ca09550e57423f33085d79613f45663ce71ebe654a3223d3dac5f25d6a315d31

Analysis

max time kernel
201s
max time network
214s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca09550e57423f33085d79613f45663ce71ebe654a3223d3dac5f25d6a315d31.exe
Size

923KB
MD5

fced897ad9fc93d6c54386c94ec8c9e4
SHA1

9d228828c7d4cbf933d2369a99786646610d52d9
SHA256

ca09550e57423f33085d79613f45663ce71ebe654a3223d3dac5f25d6a315d31
SHA512

0e2513be1e3f5d162ccbaf4c8a472c21a871f6dc99a8e8db09380b20ff1179ca44966c5901eb7b36e8c42f02fb993dedef6b63522dbae408578ef39d772a440b
SSDEEP

24576:h1OYdaOaS/Yq4hD9S9Acd+lMbXYN9MKONgRsAb:h1OsAYYrS9ldCM8N9MoRsAb

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

if1nBommQ6VgUrW.exe

pid process

3048 if1nBommQ6VgUrW.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

if1nBommQ6VgUrW.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mgbakbeoceamjjdefjnlfjddiihpdjee\2.0\manifest.json	if1nBommQ6VgUrW.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\mgbakbeoceamjjdefjnlfjddiihpdjee\2.0\manifest.json	if1nBommQ6VgUrW.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\mgbakbeoceamjjdefjnlfjddiihpdjee\2.0\manifest.json	if1nBommQ6VgUrW.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\mgbakbeoceamjjdefjnlfjddiihpdjee\2.0\manifest.json	if1nBommQ6VgUrW.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\mgbakbeoceamjjdefjnlfjddiihpdjee\2.0\manifest.json	if1nBommQ6VgUrW.exe

Drops file in System32 directory 4 IoCs

Processes:

if1nBommQ6VgUrW.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	if1nBommQ6VgUrW.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	if1nBommQ6VgUrW.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	if1nBommQ6VgUrW.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	if1nBommQ6VgUrW.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

if1nBommQ6VgUrW.exe

pid	process
3048	if1nBommQ6VgUrW.exe
3048	if1nBommQ6VgUrW.exe
3048	if1nBommQ6VgUrW.exe
3048	if1nBommQ6VgUrW.exe
3048	if1nBommQ6VgUrW.exe
3048	if1nBommQ6VgUrW.exe
3048	if1nBommQ6VgUrW.exe
3048	if1nBommQ6VgUrW.exe
3048	if1nBommQ6VgUrW.exe
3048	if1nBommQ6VgUrW.exe
3048	if1nBommQ6VgUrW.exe
3048	if1nBommQ6VgUrW.exe
3048	if1nBommQ6VgUrW.exe
3048	if1nBommQ6VgUrW.exe
3048	if1nBommQ6VgUrW.exe
3048	if1nBommQ6VgUrW.exe
3048	if1nBommQ6VgUrW.exe
3048	if1nBommQ6VgUrW.exe
3048	if1nBommQ6VgUrW.exe
3048	if1nBommQ6VgUrW.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

if1nBommQ6VgUrW.exe

description	pid	process
Token: SeDebugPrivilege	3048	if1nBommQ6VgUrW.exe
Token: SeDebugPrivilege	3048	if1nBommQ6VgUrW.exe
Token: SeDebugPrivilege	3048	if1nBommQ6VgUrW.exe
Token: SeDebugPrivilege	3048	if1nBommQ6VgUrW.exe
Token: SeDebugPrivilege	3048	if1nBommQ6VgUrW.exe
Token: SeDebugPrivilege	3048	if1nBommQ6VgUrW.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

ca09550e57423f33085d79613f45663ce71ebe654a3223d3dac5f25d6a315d31.exe

description	pid	process	target process
PID 544 wrote to memory of 3048	544	ca09550e57423f33085d79613f45663ce71ebe654a3223d3dac5f25d6a315d31.exe	if1nBommQ6VgUrW.exe
PID 544 wrote to memory of 3048	544	ca09550e57423f33085d79613f45663ce71ebe654a3223d3dac5f25d6a315d31.exe	if1nBommQ6VgUrW.exe
PID 544 wrote to memory of 3048	544	ca09550e57423f33085d79613f45663ce71ebe654a3223d3dac5f25d6a315d31.exe	if1nBommQ6VgUrW.exe

C:\Users\Admin\AppData\Local\Temp\ca09550e57423f33085d79613f45663ce71ebe654a3223d3dac5f25d6a315d31.exe
"C:\Users\Admin\AppData\Local\Temp\ca09550e57423f33085d79613f45663ce71ebe654a3223d3dac5f25d6a315d31.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:544

C:\Users\Admin\AppData\Local\Temp\7zS6ADF.tmp\if1nBommQ6VgUrW.exe
.\if1nBommQ6VgUrW.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS6ADF.tmp\if1nBommQ6VgUrW.dat
Filesize
1KB

MD5
51eaac0c7cc2685b8e2ec0be1156560f

SHA1
7706e7f1a3a118a83cf0d11e949e069402dfc9b3

SHA256
d4f00deea971c186845c52d280d6ea2d49e01439d5faf8cedb0f8fedc2f2f6e1

SHA512
bb90488fe8935f3ead7cadec7d319bbd188d0de66bcf3a7cfa81970d5c74b22c78b51e56366ec4a586394ab49a78a7d017aa41ddfafb79443b484c423cac0d7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6ADF.tmp\if1nBommQ6VgUrW.exe
Filesize
762KB

MD5
8a601a779c987e9dfa9e5aabda8a5761

SHA1
a9a36a255bfd43348aa1b5f8540bf165cba99b04

SHA256
d21458e37a24270fcecc1666a27cd5bef9468c2d1f77c423fa6ae8094f6b8e28

SHA512
6e6e7947636b0eff6bc0c2a10923ad50e5423dcef8ffbc75160b47a5a485bc22bdd8edfed9a895defddc876991a51488436fba7f1cc18ce8df1980c4b90c215d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6ADF.tmp\if1nBommQ6VgUrW.exe
Filesize
762KB

MD5
8a601a779c987e9dfa9e5aabda8a5761

SHA1
a9a36a255bfd43348aa1b5f8540bf165cba99b04

SHA256
d21458e37a24270fcecc1666a27cd5bef9468c2d1f77c423fa6ae8094f6b8e28

SHA512
6e6e7947636b0eff6bc0c2a10923ad50e5423dcef8ffbc75160b47a5a485bc22bdd8edfed9a895defddc876991a51488436fba7f1cc18ce8df1980c4b90c215d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6ADF.tmp\mgbakbeoceamjjdefjnlfjddiihpdjee\background.html
Filesize
141B

MD5
18058eef68d6c39efc147302df8f519f

SHA1
8b53d4b4ab5e8c2656fdf0af3b71144ee6572210

SHA256
abdf1a5e28bf1a09a43868df2891dd13c25e2e2593063010454f908898f11d67

SHA512
67ac38bceedb32c10869a0e90767d179f7378e2c0d9f75a8dca430430c1a04ee5686cd4a4f2f04cc2333ee3bf594c1dd661155c216283c7e194cd761fe864862

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6ADF.tmp\mgbakbeoceamjjdefjnlfjddiihpdjee\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6ADF.tmp\mgbakbeoceamjjdefjnlfjddiihpdjee\l7w4.js
Filesize
6KB

MD5
5475a3491e7ca0daa178844728b7b90a

SHA1
156bc45c2f190a9ca444b9d8abd8a3d30953bbd1

SHA256
ca5ec6acfb8ce5ce2ac820e8d0c3d210890dc6b07d366c6ed17feba2ce7a9574

SHA512
5454f6635b180608db4478ba0af5dc31ed7ed99decb52c12f6967beb651a25607a6840d8722a32aa06e23945b0692a3c124d0d00b3e5498fd28bd1d43375133f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6ADF.tmp\mgbakbeoceamjjdefjnlfjddiihpdjee\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6ADF.tmp\mgbakbeoceamjjdefjnlfjddiihpdjee\manifest.json
Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6ADF.tmp\o8RGi@5.net\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6ADF.tmp\o8RGi@5.net\chrome.manifest
Filesize
35B

MD5
2c77973c4c00d7bcf127a654c7ddc12b

SHA1
11b92bbd3c625f20b89ef2e78f6fe207780410af

SHA256
7cb815ef4040793cad570becf500c62069bb19951653385f86b3c0245caafe2e

SHA512
47112003775fa8f87d302d6fa36ee5aadf7d9afb1dced3841a56a06a59776f1ef6c7c5951899669489282d0d263f014af2c4299c1689ee69c4bba70620aa7771

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6ADF.tmp\o8RGi@5.net\content\bg.js
Filesize
9KB

MD5
f8861f85c89495b18f88dbd940bc1ad0

SHA1
2333b19c87ff5abb2b9ecf14fb8091bf29e7be58

SHA256
1421170ecea5458750a8ee3562e4d65ce67d277cf96307ae989b11f4be6c2bca

SHA512
a3152368d2e068aa70f08aefce82f795b186f749d96c9382d189303c32aa84d460288e35478b86dbd788feeb37d9a2c3c47c1a7cbbe03e0d07ad2f1b6092ca8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6ADF.tmp\o8RGi@5.net\install.rdf
Filesize
593B

MD5
f328746a17d09e1b9b6ad35e3ade8887

SHA1
8fc05770438a4d0183b293b229d67f199cdca514

SHA256
16281fa591045809f2afd82bd5bc8ecb03cbf4098e6e51b4b7b31ed490c86ff8

SHA512
9dac56d401ae912b0db696b294b79639f35bd0a7890096d736dce058723c7102ec78d69a13924d9342a3795ec66c889c5e4e203af140ae7d9b199240bf44a48c

Download Submit
memory/3048-132-0x0000000000000000-mapping.dmp

Download